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Abstract 



Location distinction is defined as determining whether or not the position of a device has changed. We 
introduce methods and metrics for performing location distinction in multiple-input multiple-output (MIMO) 
wireless networks. Using MIMO channel measurements from two different testbeds, we evaluate the performance 
of temporal signature-based location distinction with varying system parameters, and show that it can be applied 
Q I to MIMO channels with favorable results. In particular, a 2x2 MIMO channel with a bandwidth of 80 MHz allows 

a 64-fold reduction in miss rate over the SISO channel for a fixed false alarm rate, achieving as small as 4 x 10^^ 
probability of false alarm for a 2.4 x 10^'' probability of missed detection. The very high reliability of MIMO 
^ ■ location distinction enables location distinction systems to detect the change in position of a transmitter even when 

CN| ' using a single receiver. 

o ■ 

^ I. Introduction 

■ Location distinction is defined as determining whether or not the position of a device has changed. 
^ In the context of a wireless network, this means detecting when a transmitter changes its position via 
, measurements made at one or more receivers, or vice versa. 

' Location distinction is fundamentally different from localization, in that location distinction is not 
^ concerned with the position of the transmitter, only whether or not it has moved. Location distinction 
should work under two use cases: (1.) when a wireless device is continuously moving; and (2.) when a 
wireless device and access point are stationary for a long time and suddenly a transmission with the same 
claimed identity is sent from a new location. Under use case (1.) the algorithm should detect a new location 
with each transmission, while under use case (2.) the algorithm should decide the new transmission is 
from a different location. 

The ability to perform location distinction provides several benefits, including an improved capability 
to monitor the positions of radio-tagged objects, better energy conservation in radio localization systems, 
and a means to detect impersonation attacks in wireless networks 0], [|2||. Location distinction has been 
shown to be useful in detecting the Sybil attack [3J, [|4J. Other work has also shown that characteristics of 
the physical layer of wireless networks, such as received signal strength (RSS), channel impulse response 
(CIR), or channel frequency response can be exploited to detect changes in transmitter/receiver positions 

mi, m, m, m. 

Multiple-input multiple-output (MIMO)-capable devices represent the state-of-the-art in wireless net- 
working and have enabled significantly improved spectral efficiencies in wireless networks. Many new 
wireless standards, such as 802.1 In, WiMax, and 4G cellular, take advantage of MIMO technology. 
Enhancing these standards with the capability to perform location distinction would offer extra security 
against impersonation attacks. For example, the 802.1 In standard is vulnerable to impersonation and 
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denial-of-service attacks because the MAC addresses of network clients are sent over the air unencrypted 
and may be eavesdropped on and used by an attacker in order to masquerade as a legitimate client. 

Previous work has suggested using channel measurements gathered between a single transmitter and 
multiple receivers in order to perform location distinction [[5l, ffTl, [171, [|4l, [[9J. However, in typical WiFi 
networks, adjacent access points are set to operate on different channels in order to reduce interference 
and a client operates on a single channel. This makes collecting channel data at multiple access points 
difficult. Extending location distinction to MIMO allows robust location distinction to be performed with 
a single receiver. 
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Fig. 1. Location distinction measures link signatures from received packets, and then raises an alarm if the current measurement differs 
greatly from those in the history. 

This paper evaluates the performance of the general location distinction algorithm shown in Figure 
[H in which channel impulse response measurements, called link signatures, are measured over time for 
a given link, and each new link signature is compared to those in a history of previous measurements 
in order to detect changes in position. To the authors' knowledge no implementation and experimental 
evaluation of MIMO-based location distinction has been performed. We present the following work in 
order to characterize the performance of temporal signature-based location distinction in the context of a 
MIMO channel: 

1) We introduce MIMO temporal link signatures for quantifying the state of the MIMO channel. 

2) We perform two measurement experiments with two different experimental testbeds in order to 
evaluate location distinction under two distinct use cases. 

3) We evaluate spatially dense channel measurements in order to study the spatial evolution of temporal 
link signatures. 

4) We evaluate several trade-offs between system design parameters and performance, including: link 
signature history size, bandwidth, complex vs. magnitude- only signatures, use of delay between 
measurements, and number of antenna elements. 

The results show that MIMO location distinction algorithms perform well in a variety of experimental 
conditions. For example, we achieve a 4 x 10"'' probability of false alarm for a 2.4 x 10"'^ probability of 
missed detection using a 2x2 MIMO channel with a bandwidth of 80 MHz, and a 3 x lO"'' probability of 
missed detection for a false alarm rate of 0.01 using a 1x2 SIMO channel with a bandwidth of 20 MHz. 

Additionally, we show that: 

1) In the context of spatially dense link signature measurements (inter-measurement distances < A), 
it is necessary to introduce a delay between past and current measurements in order to reliably 
perform location distinction. The size of delay depends on the spatial density of the measurements. 

2) The number of link signatures to store in the history depends on the amount of temporal variation 
in the link signatures when the wireless device is stationary. 

3) The most significant performance gain for MIMO vs. SISO location distinction occurs in the move 
from SISO to 2x2 MIMO. Further increasing the number of antenna elements offers diminishing 
returns. 

4) When random phase shifts due to imperfect synchronization are removed, complex link signatures 
lead to better performance than magnitude-only link signatures. 
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5) Increasing the bandwidth of the link signatures offers diminishing returns after about 20 MHz. In 
fact, higher bandwidth measurements are more susceptible to synchronization errors. 

This paper is organized as follows. In Section [III we describe the link signatures, metrics, and MIMO 
location distinction algorithm. In Section Unl we discuss two measurement experiments, which we will 
refer to as Experiment I and Experiment II. In Section |IVl we present testing results and analysis of the 
MIMO location distinction algorithm. We discuss related work in in Section |Vl Conclusions and future 
work are presented in Section |Vll 

II. Methods 

In this section, we first describe the link signatures we use for location distinction and the difference 
metrics we use to quantify changes in them. Next, we present a real-time location distinction algorithm 
and the framework for testing this algorithm. 

A. Link Signatures 

We define the nth complex temporal link signature (CTLS) calculated for the cth transmitter/receiver 
antenna pair as 

fW = [/,W(o), hf\m), h^\{M - i)r,)] (1) 

where }i'c'\t) is the band-limited channel impulse response as a function of delay r, M is the number 
of samples, is the sampling period, and c E S, where 

5 = {l,...,A;i}x{l,...,A;2}. (2) 

The number of transmitter and receiver antennas are represented by ki and ^2, respectively. We also 
define the nth temporal link signature (TLS) calculated for the cth transmitter/receiver antenna pair as 

g(") = [\ht\Q)l \h^-\m\ \h^:\{M - 1)T,)|]. (3) 

The MIMO channel measurements used in this paper are gathered using either a multitone probe or 
preamble-based channel estimation, both of which are described in Section [nil In both cases, time-domain 
representations of the channel response are used for link signatures. 

We let the nth MIMO complex temporal link signature (MIMO CTLS) be the concatenation of the set 
of complex temporal link signatures measured between the first ki x k2 transmitter and receiver antennas: 

F" = [f4"),...,fW], (4) 

where ci, is a list of the elements of S. 

Finally, we let the nth MIMO temporal link signature (MIMO TLS) be the concatenation of the set of 
temporal link signatures measured between the first ki x k2 transmitter and receiver antennas: 

G" = [g(:^),...,g(:)]. (5) 

B. Difference Metric 

In this section, we define the metric for measuring the difference between the current MIMO link 
signature the FIFO history of previous MIMO link signatures below. The FIFO history T-L for the previous 
MIMO link signatures is defined as 

n = {F"}ti (6) 

or 

n = {G"}1, (7) 
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depending on the MEMO link signature being used. The difference metric we explore in this paper is 

A(F^+^,?/) = -min||F-F^+^|| (8) 
cr Few 

where a is the average distance between link signatures in the history, defined as 

a = ^ V IIF^-F"!! (9) 

iN-l)iN-2) ^ " " 

and is a delay parameter. This delay is inserted to increase the time between the current link signature 
measurement and those in the history. As we show in Section IIV-A[ D > \ helps detection performance 
under use case (1.). In the case of the magnitude-only TLS, the norms in ([8]) and ^ are the £2 norm; for 
the CTLS, these norms are the 02 norm, defined as 

||g-h|U, = min||g-he^''^||,, = ||gf + ||hf - 2||g*h||. (10) 

The 02 norm removes the effect of random phase shifts that occur between subsequent CTLS measure- 
ments. 

We examine various sizes for the FIFO history 'K and the delay D in Sections IIV-BI and IIV-AI 
respectively. Changing these parameters dramatically affects the detection performance of the location 
distinction algorithm. The delay has the effect of increasing the difference between the latest link signature 
and those stored in the history. This is beneficial for location distinction under use case (1.). The FIFO 
history size is chosen to maximize the probability of detecting a change in receiver position, while 
minimizing the probability of misidentifying a stationary receiver as moving. 



C. Real-time Location Distinction 

A real-time location distinction algorithm is defined by the following steps: 

1) Measure the current link signature. 

2) Calculate the minimum difference A between the current link signature and the link signatures in 
the FIFO history U. 

3) Compare the minimum difference A to a threshold 7. If A > 7, raise an alarm to indicate that the 
receiver has moved since the last link signature was measured. If A < 7, do not raise an alarm, 
thereby indicating that the receiver has not moved since the last link signature was measured. 

4) Add the current link signature to a FIFO delay buffer and add the oldest link signature in the delay 
buffer to the FIFO history "H. 

5) Return to step 1. 

The process is illustrated in Figure [U This is a real-time algorithm, but we note that in this paper, we 
first collect all of the link signatures, and then evaluate location distinction in post-processing. 



D. Performance Evaluation 

In this Section, we construct a framework used to apply the metrics described in Section III-BI to the 
link signatures described in Section III-AI in order to test the performance of MIMO location distinction. 
The performance evaluation is conducted using the following steps: 

1) The output of the difference metrics 

= A(F^+^,?/) 

and 

E™ = A(G^+^,H) 
are recorded for stationary and moving receivers. 
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2) We identify the probability of false alarm PpA and probability of detection for each antenna 
subset in reference to a possible difference threshold 7. We define the null and alternate hypotheses, 
Ho and Hi as follows: 

Hq : Receiver has not moved. 

Hi : Receiver has moved. 
We treat E^^^ and E^^^ as random variables and denote their conditional density functions under 
the two events above as /£;(a;|Ho) and /e(x|Hi). The E^^^ and E^^^ for a stationary and moving 
receiver are used to characterize /£;(x|Ho) and /£;(x|Hi) respectively. We calculate Pfa, Pd, and 
Pm as: 



The PpA and Pd as a function of 7 allow us to evaluate how well location distinction would have worked 
if a threshold of 7 was used in the real-time algorithm. Thus the set of possible PfaIPd combinations 
provide a curve of feasible real-time detection performance. 

III. Measurements 

We describe two MIMO measurement experiments. One is performed at Brigham Young University 
[fTOl . and another is performed at the University of Utah. These datasets are used to evaluate the location 
distinction algorithm according to the framework described in the previous section. 

These experiments provide an opportunity to examine the following two use cases for location distinc- 
tion: 

1) A wireless device sends packets while in motion so that each new packet is sent from a distinct 
location. In this case, the location distinction algorithm should detect the change with every new 
packet. Our Experiment I provides MIMO data to test the performance of location distinction in this 
use case. In fact, measurements are made with fine enough spacial resolution that it is necessary 
to delay inserting the most recent measurements into the history FIFO in order to ensure sufficient 
decorrelation between a current measurement and those in the history. 

2) A wireless device sends packets while stationary for a long period of time. Then, a new packet is 
sent from a distinct location, either because the wireless device has moved, or because a second 
wireless device is attempting to impersonate the first from a different location. In either case, the 
location distinction algorithm should detect the change. Our Experiment II provides MIMO data to 
test the performance of location distinction for this use case. 

Under both use cases, in order to simulate MIMO antenna arrays of different sizes and examine the 
associated performance of temporal signature-based location distinction, we compile the MIMO link 
signatures, as in (U) and ([5]), from the subsets of the SISO link signatures, CTLS and TLS, measured with 
1 X A; and A; x A; antenna arrays, where A; G {1, . . . , 8}. At the MIMO receiver, channel measurements are 
made with a period T^. For each measurement taken at the receiver, we calculate the link signatures defined 
in Section III-A[ The number of channel measurements varies with the receiver position. For Experiment 
I, if there are n + \ measurements at a given receiver location, the nth measurement is taken at t = nT^, 
and the nth link signatures are associated with this measurement time. In Experiment II, varies slightly 
around a nominal value of 3.0 s, but we have the exact position of the transmitter and receiver for each 
measurement. 
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A. Experiment I 

The first experiment is conducted at Brigham Young University by Wallace et al. flO]. MIMO channel 
data are collected using an 8x8 MIMO channel sounder in which a multi-tone baseband signal is mixed 
with a carrier frequency of 2.55 GHz and transmitted to stationary and moving receivers. The transmitter 
is stationary for these measurements. The multi-tone signal is constructed as follows: 

B 

XB{t) = ^COs{2TlUt + 9i) (11) 



1=0 



where i? = 39 and 

/. = (i + 0.5) MHz (12) 

and 6i is a fixed random phase shift between and tt included for each tone in order to spread the signal 
energy in time [QTI . The signal XB{t) is multiplied by a Gaussian window to combat artifacts generated 
by switching the signal on and off. 
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Fig. 2. Diagram of a subset of receiver locations from Experiment I. Circled numbers represent the receiver locations for individual 
measurement sets. DO or DC indicate door open or door closed, respectively. 

The transmitter and receiver each use a uniform circular array of eight monopole antennas. These arrays 
have a nominal element spacing of A/2 (where A is the wavelength) and are well synchronized in both 
carrier frequency and phase. The wideband channel frequency response H{f) for each antenna pair is 
computed by dividing the Fourier transform of the measured signal by the Fourier transform of the known 
transmit signal and separating the results into bins which correspond to the tones in the transmitted signal. 
The wideband channel impulse response is calculated as 

h{n)=T-\H{f)}. (13) 

where represents the inverse discrete-time Fourier transform. Channel measurements are collected 

at eight different receiver locations on a single floor of an office building. Figure [2] is a diagram showing 
the first three receiver locations. The circled numbers represent each location. 

In this experiment the receiver is in motion while the transmitter is stationary. We discussed in Section IJ 
applications which detect a moving transmitter using stationary receivers, and the reciprocity of the radio 
channel allows us to view these measurements as if this were the case [lT2l . [|T3l . 

In the cases where the receiver is moving, it moves with a speed of 31.75 cm/sec. At each receiver 
location, between 390 and 585 measurements are made. In the measurements made with a moving receiver, 
the multi-tone probe is sent every 3.2 ms, or given the receiver speed of 31.75 cm/sec, every 1.016 mm. 
These dense (spatially and temporally) measurements are the reason we delay {D) inserting the most 
recently measured link signature into the history 1-L. As we show in Section |IVl the performance of 
location distinction improves when this delay is increased, or equivalently, when the current location of 
the receiver is further from its location during the measurement of the most recent link signature in 1-L. 



7 



B. Experiment II 

The second experiment is performed at the University of Utah. Channel measurements are made using 
a MIMO-OFDM transceiver implemented with a National Instruments vector signal generator (VSG) and 
vector signal analyzer (VSA) and Labview software. 

The transmitted signal is designed to emulate the IEEE 802.1 In standard [fT4l . It is an OFDM signal 
and has 64 subcarriers contained in a total bandwidth of 20 MHz (312.5 kHz per subcarrier). These 
include four null subcarriers over which the channel is not estimated (subcarrier indices -32, -31, 0, and 
31). Each data symbol is 4.0 /is long consisting of a 3.2 /is data symbol and a 0.8 /xs cyclic prefix. 

The frame (timing) synchronization, carrier offset recovery, and channel estimation are aided by a 
preamble. We use the greenfield preamble described in the physical layer specification of the IEEE 802. 1 In 
standard, but we omit the high throughput signal field. This field is normally used to convey MAC 
information regarding the coding, modulation scheme, etc., and isn't necessary for the channel estimation 
required by this experiment. The preamble consists of an 8.0 /iS periodic signal with a short period (0.8 /is) 
for coarse carrier acquisition and coarse frame synchronization. This is followed by 8.0 /iS of a periodic 
signal with a long period (3.2 /xs) used for fine carrier acquisition and fine frame synchronization. Moose's 
method is used for frame synchronization and carrier recovery [fTSl . [|T6l . 

The MIMO channel state is estimated using mutually orthogonal sequences. After the long period 
signal, the transmitter sends to each antenna mutually orthogonal sequences of symbols generated with 
Walsh-Hadamard codes for each subcarrier. Each of these sequences has a duration of 4.0 /is, which 
includes a 0.8 /xs cyclic prefix. A minimum mean-squared-error (MMSE) channel estimation algorithm 
with a structure derived from the MMSE estimator in [17] is employed. Compared to the estimator in 
[fTTl . we increase the number of transmit symbols used for estimating the channel from two symbols (for 
a 2x2 system) to four symbols. 

At the receiver, following carrier acquisition and frame synchronization, the mutual orthogonality of the 
symbol sequences allows the receiver to quickly invert the received signal information at each subcarrier 
by performing a single matrix multiplication per subcarrier. This provides an estimate of the channel 
response for each pair of antennas at each subcarrier, which are the estimates used for this analysis. 
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Fig. 3. Diagram of Experiment IL Circles represent receiver locations, diamonds represent transmitter locations. The outer line represents 
the wall of the room. Channel measurements are made at each transmitter/receiver location. Desks, equipment, and other scatterers are 
present, but not depicted in this diagram. 

The data are collected in the Wireless Communication Lab at the University of Utah, an open plan office 
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Fig. 4. Link signatures measured (a) over time at a stationary receiver and (b) at a moving receiver. The signatures measured at a moving 
receiver fluctuate more than those measured at the stationary receiver. 
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Fig. 5. Empirical distributions of Ef for stationary and moving receiver from (a) Experiment I with 8x8 CTLS, and (b) Experiment II with 
the 2x2 CTLS. In both cases the mean difference metric for a moving receiver is significantly higher than for a stationary receiver. 



lab containing desks, bookcases, chairs, and measurement equipment. We take measurements at eighteen 
different receiver locations and four different transmitter locations, as shown in Figure [3l resulting in a 
total of 3600 measurements of 72 distinct radio links. We choose a center frequency of 2.42 GHz and use 
whip antennas separated by 15.24 cm for the transmitter and receiver antenna arrays, placed at height of 
0.91 m. 

IV. Results and Discussion 

We present and discuss the results of Experiments I and II in the context of four link signature 
characteristics. 

A. Spatial Distance 

The results of both experiments show that differences in spatial location between link signatures are 
more significant than the temporal variations in link signatures measured for static receivers. In other 
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Fig. 6. (a) Average £2 and 02 -distances between 8x8 MIMO CTLS as a function of spacial separation. The average i?2-distance peaks at a 
receiver separation of roughly A/2, (b) Average difference metrics E for 8x8 CTLS/TLS as a function of spatial separation. 

words, changing the position of the transmitter/receiver has a significant effect on the measured link 
signatures. Figure |4] shows the magnitudes of the 1x1 TLS measured at a stationary or moving receiver 
in Experiment 1. The variation of the signatures for the moving receiver is more significant. In the case 
of the MIMO TLS, the same effect can be seen in the empirical distributions of the difference metric ([8]). 
These distributions are shown in Figure |3a). The mean difference metric is much higher in the case of 
a moving receiver. The same result can be seen in the empirical distributions of the difference metrics 
calculated for Experiment II. These distributions are shown in Figure I2b). 

Figure [6t a) shows the average ^2 and 02 distances between 8x8 MIMO CTLSs as a function of receiver 
separation where the 02 distance is defined in (fTOl) . The average £2-distance reaches a maximum at a 
separation of approximately A/2, and then oscillates with a period of A. This result agrees with a result of 
the Clarke fading model, which assumes incoming multipath are uniformly distributed about the receiver 
[fT8l . The average 02-distance peaks at a receiver separation of about A and the oscillation is mitigated 
by the phase rotation inherent in the </)2-distance. Figure |6tb) shows the average difference metrics E as 
a function of receiver separation. These results indicate that the difference metrics perform best in the 
case where the receiver has moved a wavelength or more between measurements. In the context of an 
impersonation attack, this is typically the case. 

B. History Size 

The size of the history buffer "H is a parameter which should be chosen in order to provide the best 
location distinction performance. For this work, we select a range of history sizes to examine in both 
experiments and identify the best size heuristically. However, the optimal number of signatures to inlcude 
in the history is a function of the the difference metric being used and the distribution of the differences 
measured under Hq and Hi. Because of the minimum operator in ([8]), increasing the history size can only 
lower the average difference metric under both hypotheses. 

Figure |7];a) shows the receiver operating characteristic (ROC) curve of the location distinction algorithm 
for the 8x8 MIMO CTLS and various history sizes. In this case, the best performance corresponds to 
a history containing fifteen previous link signatures. Figure Ul^) shows the ROC curve of the location 
distinction algorithm for the 2x2 CTLS of Experiment II and various history sizes. In this case, a history 
size of five offers the best performance. 

The differences measured under Hq in Experiment I have a significantly higher mean/variance than 
those measured under the same hypothesis in Experiment II, indicating that the temporal variations of 
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Fig. 7. ROC curves for (a) Experiment I: 8x8 MIMO CTLS and (b) Experiment II: 1x1 CTLS for various history sizes. In Experiment I, a 
history size of 15 link signatures yields the best performance. In Experiment II, a history size of 5 link signatures yields the best performance. 



the link signatures measured for a stationary receiver in Experiment I are more prominent than those 
in Experiment II. Therefore, a larger history size is necessary in Experiment I in order to capture the 
temporal variations of the stationary receiver. 

C. Number of Antennas 

The results show that as the size of the MIMO antenna array is increased, the performance of the 
location distinction algorithm improves. This is consistent with the simulation results of [8J, which used 
ray-tracing simulations to show that the average miss rate in a location distinction system decreases with 
the number of antenna elements. 

Figures [8ta) and [8tb) show the location distinction ROC curves for the data from Experiment I and 
different sized MIMO antenna arrays. Figures [Sj^c) and[8td) show the ROC curves for the same experiment, 
but using SIMO arrangements. The trend in these figures is toward better location distinction performance 
with the increase in size of the MIMO antenna array. Figure |9] shows miss rates for a given false alarm 
rate and various SISO, SIMO, and MIMO arrays. The miss rates appear to follow the inverse power law 

where h and m are parameters that define the rate that the probability of missed detection approaches zero 
with the number of MIMO channels. A least-squares approximation yields h ~ 10"^ ''^ and m ^ 0.93 
for the data in Figure |9l As a rule of thumb, the achievable miss rate for a constant false alarm rate is 
approximately inversely proportional to kik2, the number of channels. 
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Fig. 8. ROC curves for (a) MIMO TLS (b) MIMO CTLS (c) SIMO TLS and (d) SIMO CTLS for various antenna array sizes. Location 
distinction performance improves with ttie number of antennas and the MIMO CTLS performs better than the MIMO TLS. The SIMO 
signatures nearly match the performance of the MIMO signatures. 
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Fig. 9. Experiment I: Probability of missed detection for a 2 x 10 ^ probability of false alarm vs. kik2 for different SISO, MIMO, and 
SIMO arrays. 
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The most drastic improvement in the miss rate occurs in the change from a SISO channel to a 2x2 
MIMO or 1x4 SIMO channel. Table IJ shows the improvement of the location distinction algorithm in a 
2x2 MEMO channel over the SISO channel in Experiment I. There is as much as a 108-fold reduction in 
the miss rate for a constant false alarm rate when changing from SISO to 2x2 MEMO. 

D. MIMO CTLS and TLS 

In comparing Figures [8ta) and[8tb), it is also apparent that the MIMO CTLS and its associated difference 
metric leads to better performance than the MIMO TLS in Experiment I. Table |I] shows the improvement 
of the location distinction algorithm when using the MIMO CTLS instead of the MIMO TLS. Using the 
MIMO CTLS results in as much as a 133-fold reduction in miss rate for a constant false alarm rate. 

This result is also confirmed in Experiment II, as shown in Table HI In Experiment II, the 1x1 CTLS 
results in a 3.5-fold improvement in miss rate over the 1x1 TLS. The 2x2 TLS and 2x2 CTLS both reach 
the lowest measurable miss rate in Experiment II. 

E. Link Signature Bandwidth 

Another crucial parameter in both experiments, and typically a limiting factor in radio design, is 
system bandwidth. We examined the performance of the location distinction algorithm over a range of 
bandwidths by varying the number of tones included in the IFFT of the frequency-domain measurements 
from Experiment I. This is similar to varying B in (fTTI) . 
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Fig. 10. Location distinction miss rate vs. link signature bandwidth for a 7 x 10"* false alarm rate in Experiment I. Increasing bandwidth 
offers diminishing returns. 

Figure [10] shows that performance typically improves with bandwidth, but it does so with diminishing 
returns. This is consistent with the simulation results of [8J, which show that the miss rate of a location 
distinction system decreases with system bandwidth, but that the performance gain of MIMO over SISO 
also decreases, because at high bandwidths the SISO link signatures offer more decorrelation. 

However, at high bandwidths the algorithm is more sensitive to timing- synchronization errors that might 
be hidden by lower bandwidth signatures. Figure [TT] shows an example of two consecutively measured link 
signatures that exhibit this effect. These errors cause small drops in performance. The higher bandwidth of 
the link signatures measured in Experiment I (80 MHz) allows for better location distinction performance, 
but the results for the 2x2 MIMO link signatures of Experiment II (20 MHz) still offer a 3 x 10"^ 
probability of missed detection for a 7 x 10^'^ probability of false alarm. 
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Fig. 11. Two consecutive link signatures with 80 MHz bandwidth showing the results of a timing-synchronization error. The time-resolution 
of high-bandwidth link signatures cause an increased impact on location distinction performance. 

V. Related Work 

The papers discussed in this section have contributed to this work in different aspects. The most closely 
related work is that of Patwari et al. |[T1 and Zhang et al. |I3. In these two papers, a temporal link signature 
is defined to be used in the context of multiple transmitters/receivers and then refined to include phase 
information. We compliment that work by showing that a single MIMO transmitter/receiver pair can be 
used to perform reliable location distinction, and that lower false alarm rates are possible using a single 
receiver, when the communication system is a 1x2 or 2x2 MIMO system. In [7], the authors report a 
9 X 10^^ miss rate for a 0.01 false alarm rate using three receivers. For the same false alarm rate, we are 
able to achieve a 3 x 10~^ miss rate using a single receiver and the 2x2 MIMO CTLS with less bandwidth. 
This net reduction in system complexity may enable location distinction in future wireless networking 
systems. 

In [7] a complex temporal link signature is defined which allows for the exploitation of the phase 
information in the CIR. However, not all of the phase information represented by the link signature is due 
to the channel. Some phase shifts occur due to a lack of time and/or frequency synchronization between 
the transmitter and receiver. The distance between two link signatures which minimizes the contribution 
of random phase shifts corresponds is shown to be (flOl) . Zhang et al. call this the 02-distance. It is not 
necessary to apply (flOl) to the data gathered in Experiment I, because it is phase-synchronous, but we do 
apply it to the data from Experiment II. 

In [8J, Xiao et al. present ray-tracing simulation results for MIMO location distinction in defense of 
impersonation attacks in an office building. They assume that channel measurements made in the frequency 
domain are distributed as complex Gaussian random variables and derive ideal change metrics based on 
this assumption. We extend this work by offering an experimental validation of MIMO location distinction 
using two MIMO testbeds. 

In L6], Li et al. propose some of the underlying ideas of this work, namely, that characteristics of the 
radio channel (rapid de-correlation in space, time, and frequency) can be exploited to secure wireless 
networks. They offer methods of probing the channel in order to determine, based on the channel gains 
between transmitters and receivers, whether or not communications are coming from an authentic user or 
a would-be attacker. Using the USRP/GNU Radio and a simple change-point detector, they show that they 
are able to detect a change in the wireless link via channel gains and thereby detect a possible spoofing 
attack. 

In [SI, Faria and Cheriton utilize similar principles in designing a method for identifying a transmitter by 




14 



its signalprint, which consists of a vector of RSS values. These RSS values are gathered using wireless 
access points as sensors and a central authentication server for cataloging and comparing signalprints. 
Their results show that a stationary transmitter will produce a consistent signalprint and thereby allow for 
discrimination between authentic users and attackers whose signalprints will vary significantly because 
they are located in a different position in the multi-path fading channel. The signalprint is limited in that 
it may be unable to detect attackers located near authentic transmitters, because they may have a similar 
signalprints. 

VI. Conclusion and Future Work 

In this paper we show that techniques for location distinction can be applied to a MIMO channel. 
Using two distinct measurement sets, we show that a simple linearization of the link signatures for each 
transmitter/receiver antenna pair can be used to form MIMO link signatures, and that difference metrics 
can be used to determine whether or not a wireless device has changed position. Our results show that 
the presented MIMO location distinction framework can be used to discern a stationary transmitter from a 
moving transmitter with accuracy better than any previously reported experimental results. We also show 
how the adjustment of the parameters of the location distinction algorithm (history size, spatial separation, 
complex/magnitude-only signatures, and number of antennas) affect the performance of the algorithm. 

In addition to the promising results we have shown, it will be beneficial to further characterize the 
link signatures used for location distinction and explore other difference metrics. For instance, our current 
difference metric uses the minimum Euclidean or 02-distance between the most recent link signature and 
those in the history l-i. This tends to increase the miss rate in the context of noisy measurements. A 
weighted average of distances, such as the Mahalanobis distance may offer better performance. A broader 
experimental analysis of link signatures and their temporal and spatial variations will facilitate the design 
of better difference metrics. 
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